URL: https://github.com/freeipa/freeipa/pull/5138 Author: tiran Title: #5138: [Backport][ipa-4-8] Delay import of psutil to avoid AVC Action: opened
PR body: """ This PR was opened automatically because PR #5132 was pushed to master and backport to ipa-4-8 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5138/head:pr5138 git checkout pr5138
From 27ef9dc101ab3e37c1390b83c9459d78dc937779 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Wed, 23 Sep 2020 08:46:44 +0200
Subject: [PATCH] Delay import of psutil to avoid AVC
Commit cfad7af35dd5a2cdd4081d1e9ac7c245f47f1dce added a check to ensure a system has sufficient amount of memory. The feature uses psutil to get available memory. On import psutil opens files in /proc which can result in an SELinux violations and Python exception.
PermissionError: [Errno 13] Permission denied: '/proc/stat'
Fixes: https://pagure.io/freeipa/issue/8512
Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipaserver/install/installutils.py | 4 +++-
 ipaserver/plugins/join.py | 4 ++--
 ipaserver/setup.py | 1 +
 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 0e304a490a..fcf8501a6e 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -29,7 +29,6 @@
 import os
 import re
 import fileinput
-import psutil
 import sys
 import tempfile
 import shutil
@@ -1047,6 +1046,9 @@ def check_available_memory(ca=False):
 "Unable to determine the amount of available RAM"
 )
 else:
+ # delay import of psutil. On import it opens files in /proc and
+ # can trigger a SELinux violation.
+ import psutil
 available = psutil.virtual_memory().available
 logger.debug("Available memory is %sB", available)
 if available < minimum_suggested:
diff --git a/ipaserver/plugins/join.py b/ipaserver/plugins/join.py
index eb0d309ac4..fa9a43b583 100644
--- a/ipaserver/plugins/join.py
+++ b/ipaserver/plugins/join.py
@@ -25,7 +25,7 @@
 from ipalib import Command, Str
 from ipalib import errors
 from ipalib import _
-from ipaserver.install import installutils
+from ipalib.constants import FQDN
 __doc__ = _("""
 Joining an IPA domain
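Review bot: In `check_available_memory()` (ipaserver/install/installutils.py, second hunk) the function-scope `import psutil` is unguarded, so the `PermissionError` on `/proc/stat` quoted in the commit message is only moved from module import to this call, not handled. That is acceptable if this branch is only ever reached from the unconfined installer, but the comment does not say so, and nothing stops a later cleanup from hoisting the import back to the top of the file. I would extend the comment to record the constraint, e.g. `# Keep this import local: confined processes import this module and must not touch /proc (https://pagure.io/freeipa/issue/8512).` The enclosing function begins and ends outside the hunk, so whether its callers already handle a failure here cannot be seen from this patch.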
@@ -60,7 +60,7 @@ class join(Command):
 validate_host,
 cli_name='hostname',
 doc=_("The hostname to register as"),
- default_from=lambda: unicode(installutils.get_fqdn()),
+ default_from=lambda: FQDN,
 autofill=True,
 #normalizer=lamda value: value.lower(),
 ),
diff --git a/ipaserver/setup.py b/ipaserver/setup.py
index 5d4bf0895f..ff9cd81a7a 100644
--- a/ipaserver/setup.py
+++ b/ipaserver/setup.py
@@ -59,6 +59,7 @@
 "jwcrypto",
 "lxml",
 "netaddr",
+ "psutil",
 "pyasn1",
 "requests",
 "six",
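Review bot: In the `join` command's hostname parameter (ipaserver/plugins/join.py, second hunk), `default_from=lambda: FQDN` is not obviously a drop-in replacement for the removed call. It returns a module-level value from `ipalib.constants` without the `unicode()` coercion, and presumably one fixed when that module was imported rather than looked up on each call. This default decides which host name is registered when the caller omits one, yet the commit message only talks about psutil, so it should state that the two values are equivalent on the server. A short comment such as `# use the FQDN constant; importing ipaserver.install.installutils here drags installer-only imports into the plugin` would also keep the plugin from importing installutils again. The parameter definition continues outside the hunk.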